Detection rules › Splunk
Windows Create Local Account
The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1136.001 Create Account: Local Account |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4720 | A user account was created. |
Stages and Predicates
Stage 1: tstats
tstats WHERE All_Changes.result_id=4720 BY All_Changes.user, All_Changes.dest, All_Changes.result, All_Changes.action
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
All_Changes.result_id | eq |
|